Age | Commit message (Collapse) | Author | Files | Lines |
|
passdb in 3_0 (they are still in trunk).
Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
|
|
free()'s on exit
(This used to be commit a882a349df1488a4d64c892dbd1ec1ee3624ea42)
|
|
Jeremy.
(This used to be commit 54ac409d4fd3b6e8e2bd338dabed446a92507811)
|
|
don't leave administator-sid unmapped. Simply return "Administrator"
Guenther
(This used to be commit 168ddf31d1af49d52d17dd09c9653d3deafb9442)
|
|
* added SE_PRIV checks to access_check_samr_object() in order
to deal with the run-time security descriptor and their
interaction with user rights
* Reordered original patch in _samr_set_userinfo[2] to still
allow root/administrative password changes for users and machines.
(This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
|
|
(This used to be commit 8946efe102f7a8a9b5a8059a80666b782159e7b8)
|
|
When migrating account policies to ldapsam, handle the fact that an
admin might have changed the default location of the sambaDomain-object
after installation.
Guenther
(This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
|
|
administrator-sid mapping completely.
Guenther
(This used to be commit 4cbe37ecd544b01c57c7fce5b3be28669f4ba6c3)
|
|
Give the admin-user (rid 500) a chance to be found in passdb, not
returning the (possibly obscure) first entry of "admin users" before
that.
Guenther
(This used to be commit d319c0e189bc67a4552dafaff80113603b551eb3)
|
|
Guenther
(This used to be commit eee0bd806b4fd4558f9c48c09f7e85274e2b807f)
|
|
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.
Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
|
|
profile path, logon home and logon script values
(This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
|
|
ldapsam:trusted=True. Don't bail out when ldap-search returns pure
posixgroups (w.o. samba group-mapping).
This way those unix-memberships do not appear in user and nt user token.
Volker, could you please look over that one?
Guenther
(This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6)
|
|
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).
Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.
Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.
Guenther
(This used to be commit 6394257cc721ca739bda0e320375f04506913533)
|
|
controls or extensions.
* Check and remember if ldapsam's LDAP Server support paged results
(in preparation of adding async paged-results to set|get|end-sampwent in
ldapsam).
Guenther
(This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
|
|
(This used to be commit ed38e6026494a2b58c70cc175c6e210bea454e5c)
|
|
(This used to be commit 760455875f78a29c3fedd7de3671d6ae537c1d1a)
|
|
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
|
|
(based on Simo's code in trunk). Rewritten with the
following changes:
* privilege set is based on a 32-bit mask instead of strings
(plans are to extend this to a 64 or 128-bit mask before
the next 3.0.11preX release).
* Remove the privilege code from the passdb API
(replication to come later)
* Only support the minimum amount of privileges that make
sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
instead of the 'is a member of "Domain Admins"?' check that started
all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
Samba DC to another.
* Come up with some management tool for manipultaing privileges
instead of user manager since it is buggy when run on a 2k client
(haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
- Use new DTD URL in pdb_xml
(This used to be commit 99dc2f36d1f637906d47e98dbd4d5eb1f1cc4357)
|
|
Jeremy.
(This used to be commit 05b905a28f349a2741e0963e41ad624a8f0b9fb8)
|
|
Jeremy.
(This used to be commit 8e979772a640bb4f00f4d72b6a9c837b8ef14333)
|
|
(This used to be commit 2d952c86c7e92fff48b4773ab46987d905b214cc)
|
|
This fixes Bugzilla #1076 and Exchange 5.5 SP4 can then be finally
installed on NT4 in a samba-controlled domain.
Guenther
(This used to be commit bb191c1098dea06bf2cd89276c74e32279fbb3d4)
|
|
(This used to be commit dbfdde5f63f34fbe4ba1d794fcfc120178ff039a)
|
|
(This used to be commit 3bd72b864f18f6fad0357c8aa632121f14e422ab)
|
|
abartlet, I'd like to ask you to take a severe look at this!
We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.
The parameter to activate this ldapsam behaviour is
ldapsam:trusted = yes
Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
|
|
retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls
to LDAP during a typical XP login. XP does a lookupnames, then an openuser and
some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all
the subsequent ones make us call getsampwsid. This patch gets this down to one
call to LDAP.
Yes, a more "correct" way would be to stick the information to the open user
handle, but this one is simpler and saves the LDAP roundtrip for the openuser
call.
Volker
(This used to be commit 3d9758fa3c584bb25eca0b7ed04af4ddfeba315f)
|
|
Guenther
(This used to be commit 906d5f88aabf091ee273e0ed9c3d2947b22c5390)
|
|
implementation does
not exactly match what you would expect.
XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.
Volker
(This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
|
|
session
setups on its way to open a pipe. This gets rid of many round-trips to the
LDAP server during logon by setting up the server_info_guest once and not
asking the LDAP server and nss every time. Make sure that the ldap connection
is reopened in the child. (I did not look at the sql backends.)
Volker
(This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
|
|
Guenther
(This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
|
|
Currently we cannot store more then 15 password history entries (windows
NT4 allows to store 24) in ldapsam. When choosing more then "15" with
pdbedit -P "password history", we fail to initialize the password
history upon password change and overwrite the history, effectively
using a password history of "1". We do already decrease any
history-policy larger then 15 to 15 while storing the password history
list attribute in ldap.
Guenther
(This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
|
|
smb.conf-parameter for samba's "algorithmic rid base" in ldapsam are
identical.
It tried to get the value of LDAP_ATTR_ALGORITHMIC_RID_BASE via
get_userattr_key2string() for a very long time now. This just can not
work because LDAP_ATTR_ALGORITHMIC_RID_BASE is neither in attrib_map_v22
nor in attrib_map_v30. Instead, get it directly from dominfo_attr_list.
Ldapsam will now correctly refuse to initialize when admins tried
manually to have differing values for "algorithmic rid base" in ldap and
smb.conf. idmap_ldap is another story...
Guenther
(This used to be commit c5b8bc6c2e9a3f789f41742438b31152721c0bf4)
|
|
supports it. This might be a fix for bugs 1823 and 1545, notifying both.
Also ignore object class violation errors from the extended operation. We
don't have the userPassword field in sambaSamAccount, and if we have such
broken setup with user in /etc/passwd and only samba attribs in ldap, we fail
this :-)
Volker
(This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
|
|
Jeremy.
(This used to be commit 0351bf8b03306246efc17e532ebe78ecdafb645d)
|
|
(This used to be commit 8be3fa5bfa80b51f30f1c93a7fc9e95e2b1996a7)
|
|
attributes to
delete.
Richard, IMHO this is the better solution to the problem you currently
have. Please review.
Thanks,
Volker
(This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
|
|
ldapsam_compat. Be robust against NULL attributes.
Jeremy.
(This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
|
|
Jeremy.
(This used to be commit 8ae10c74ec45f1493aa15ee812ff37b86c8fc439)
|
|
some error exits.
Jeremy.
(This used to be commit e2b0b9fb72559a9629b116a7e063de08a12e9eb1)
|
|
recursion
loop between uid_to_sid -> getsampwnam -> uid_to_sid. It needs further
inspection.
Volker
(This used to be commit 67d8bc48531dd1a7d9b5db93f7d71f920a27e8fb)
|
|
uid_to_sid() and gid_to_sid() in pdb_set_sam_sids().
Jeremy.
(This used to be commit dae084d7134ae3f532861210907cd252d0001c9b)
|
|
that's what it actually does, and "fallback_" is just
confusing.
Jeremy.
(This used to be commit f44b4ba38147e353716c02c899bd45beaf71e6ad)
|
|
logon hours attributes in an LDAP database.
Jeremy.
(This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
|
|
Jeremy.
(This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
|
|
consists of a 16 byte salt, followed by the 16 byte MD5 hash of
the concatination of the salt plus the NThash of the historical
password. Allows these to be exposed in LDAP without security issues.
Jeremy.
(This used to be commit 82e4036aaa2d283534a5bd8149857320fcf0d0dc)
|
|
save the password as it is being changed into the password
history list.
Jeremy.
(This used to be commit 4fd619d7e16b5f759e6dc8360ad192457b3c90b9)
|
|
of zero)
leave it locked out until an admin unlocks it (but log a message).
Jeremy.
(This used to be commit 14bd2a9ffc30d55d9737b4819797db8c38b46c66)
|